Author Archives: NetTools

How To Edit an AD object’s Permissions

Features shown in this post are only available in NetTools v1.31.6 and above.

NetTools provides the ability to edit the permissions of the objects in Active Directory.  An object's permissions can be edited from the Permissions dialog, which provides similar functionality to the ADUC permissions dialog, but provides more control over the configuration of the permission than the native tools.  The Permissions dialog is accessed via the Permissions options on the context menu, which is available throughout NetTools.

Permissions dialog

By default the Permissions dialog opens in read-only mode. To enable editing of the permissions, right click on the list of permissions and select Edit from the context menu.  Once selected, the edit control bar is displayed at the bottom of the permissions list.

Edit Permissions

The buttons on the edit control bar allow you to add, edit, and remove permissions.  The Restore Defaults button restores the default permissions for the object, as defined in the schema for the object's class.  The Inherit permissions from parent option allows inheritance from the parent object to be blocked; when it is unselected, you are given the option to copy the existing inherited permissions.

It is possible to update both the DACL and SACL permissions of an object, but you can only edit one at a time: you must save or cancel any edits before editing the permissions on the other tab.

If the Permissions dialog is opened for something other than an AD object, so that the status bar doesn't display the DN of the object, the Save and Restore Defaults buttons are not displayed; this allows you to model the permissions but not save them.

The following dialog is shown when adding a new permission or editing an existing permission:

Add or Edit Permissions

The top part of the dialog is used to select the trustee, the access type, and how the permissions are inherited, and the lower section specifies the permissions that will be set.

The edit permissions feature can be used in conjunction with the Effective Rights tab to model the permissions.

Who can reset your Domain Admin’s password?

If you manage an AD environment, understanding who can reset the password of an account that is a member of Domain Admins is critical to the security of your environment.  Domain Admin accounts hold the keys to your AD; if one of these accounts gets compromised and used by a bad actor, it's going to be a bad day at the office.

In this post we will look at how we can use NetTools to report on who can reset the password of your Domain Admin accounts.  This information can be used to identify potential security issues that might need to be addressed to improve the security posture of your environment.

The AD Permissions Reporter can be used to report on what permissions are assigned to specific objects and to understand who has the rights to make changes.  The AD Permissions Reporter is located under Access Control in the Options selection pane on the left side.  When the AD Permissions Reporter is selected, the default screen is displayed as shown below.

AD Permissions Reporter

We will build a new Advanced Filter to report on permissions that provide these rights. If you want to skip building the Filter, you can skip to the bottom of the post, where you can find the Filter which you can simply import.

Who can reset the Domain Admins Passwords

To be able to reset the password on an account, you need the Reset Password right. This can be assigned as a specific right or be included when all extended rights are assigned, which means we will need to build an Advanced Filter which has multiple rules.

The Domain Admins group and its members, including nested members, are protected by the SDProp process, which assigns permissions to these users and groups based on the permissions assigned to the AdminSDHolder container.  We will use this behaviour to simplify the report: we don't need to query the individual users, as they will have the same permissions irrespective of their location in the AD.

For more information on the SDProp process see SDProp.

At the options screen click on the Select button to open the Select Filter dialog. As we are going to create a new filter, click on the Add button.  This will display the new Permissions Filter dialog.

Permissions Filter - Basic

In the Filter Name field enter 'Who can reset Domain Admins Passwords' and then click on the Advanced Filter button, which will open the Advanced Filter dialog.

Who can reset domain admins passwords

First we need to define the scope of the Filter. As we are going to use AdminSDHolder for this filter, we will set an LDAP Filter to select it.  Untick All Objects in the Object Scope section and select LDAP Filter.  Make sure the Search Scope is set to Sub Tree.  In the Filter field enter the following Filter:

(name=adminsdholder)

Make sure that the Match all option in the Matching Logic is set.

Next we need to set the permission we want to search for. Expand the Permissions section, set the Matching Rule to All, check the Extended Right option and from the dropdown list select the "reset password" option.  Your Filter should look like this:

Who can reset domain admins passwords - Rule 1

This rule covers the specific granting of the reset password right; however, users that have been assigned All Extended Rights can also reset the password, so we need to add another rule to search for this permission as well.

On the left side click on the Add button under the Filter Rules; this will add a new Rule2 entry.  With version v1.31.3 and below there is a bug which resets the Object Scope when a new Rule is created; you just need to re-select the LDAP Filter option.

As we want to return permissions if either of these Rules is matched, select the Or option in the Multi-rule Logic section.

Select the Match all option in the Matching Logic section.

Expand the Permissions section and select the Extended Rights option.  As we want to return All Extended Rights, we need to select -None- from the dropdown list.

Who can reset domain admins passwords - Rule 2

Click on OK to save the Filter.  In the Select Filter window click on Select.

With the Filter selected, click on Go.  Once the scan has completed you should get something like this:

Who can reset domain admins passwords - Results

The results show you which permissions provide the rights to reset the password.  To find out which users have these permissions, select the Report View tab, which displays all the permissions in a list view. Then right click on one of the permissions and select List Users from the context menu to get the complete list of users that have these rights in your environment.

Context Menu - List Users

This will switch to the Group Members option and display all the users and the members of the groups.  This is the list of users that have the rights to reset the password on the Domain Admin accounts.

List of Users
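As an added example that is not NetTools code, the following Python applies the two rules built above to an SDDL security descriptor offline: an allow ACE with the Reset Password extended right (Rule 1), or with the CR right and no object GUID, i.e. All Extended Rights (Rule 2), plus GenericAll, while honouring a matching deny ACE. The SDDL and the S-1-5-21-1-2-3-* group SIDs are constructed; the two GUIDs are the well-known rightsGuid values for Reset Password (the Rule1_Property in the saved filter) and Change Password.

```python
"""Who can reset a password: the post's two filter rules applied to SDDL offline."""
import re

# rightsGuid of the Reset Password extended right (the Rule1_Property value in the saved filter).
RESET_PASSWORD_GUID = "00299570-246d-11d0-a768-00aa006e0529"

# Constructed sample SDDL for an AdminSDHolder-like object (not captured from a real domain).
# DA/AU/SY are standard SDDL aliases; the S-1-5-21-1-2-3-* SIDs are hypothetical delegated groups.
SAMPLE_SDDL = (
    "O:DAG:DAD:PAI"
    "(D;;CR;;;S-1-5-21-1-2-3-1107)"                                # deny all extended rights to 1107
    "(A;;RPWPCRCCDCLCLORCWOWDSW;;;DA)"                             # CR with no GUID = all extended rights
    "(OA;;CR;00299570-246d-11d0-a768-00aa006e0529;;S-1-5-21-1-2-3-1105)"  # Reset Password only
    "(OA;;CR;ab721a53-1e2f-11d0-9819-00aa0040529b;;S-1-5-21-1-2-3-1106)"  # Change Password only
    "(A;;RPLCLORC;;;AU)"                                           # read-only access
    "(A;;GA;;;S-1-5-21-1-2-3-1107)"                                # GenericAll, cancelled by the deny above
    "(A;;GA;;;SY)"                                                 # Local System: GenericAll
)

DACL_RE = re.compile(r"D:[A-Z]*((?:\([^)]*\))*)")   # the DACL: "D:" + flags + "(ace)(ace)..."
ACE_RE = re.compile(r"\(([^)]*)\)")


def parse_dacl(sddl):
    """Return the DACL ACEs as 6-tuples (type, flags, rights, object_guid, inherit_guid, trustee)."""
    dacl = sddl.split("S:", 1)[0]        # drop a SACL if present; "S:" never occurs inside an ACE
    m = DACL_RE.search(dacl)
    aces = [tuple(a.split(";")) for a in ACE_RE.findall(m.group(1))] if m else []
    if any(len(a) != 6 for a in aces):
        raise ValueError("malformed ACE in " + sddl)
    return aces


def rights_of(rights):
    """Set of two-letter SDDL rights; a hex mask is reduced to the two bits the rules need."""
    if rights.startswith("0x"):
        mask = int(rights, 16)
        out = set()
        if mask & 0x100:            # ADS_RIGHT_DS_CONTROL_ACCESS, the 256 in Rule1_Perms=256 above
            out.add("CR")
        if mask & 0x10000000:       # GENERIC_ALL
            out.add("GA")
        return out
    return {rights[i:i + 2] for i in range(0, len(rights), 2)}


def reset_password_reason(ace):
    """Why this ACE covers the Reset Password right, or None if it does not."""
    rights, obj_guid = ace[2], ace[3]
    r = rights_of(rights)
    if "GA" in r:
        return "GenericAll"
    if "CR" not in r:
        return None
    if obj_guid.lower() == RESET_PASSWORD_GUID:
        return "Reset Password extended right (Rule 1)"
    if obj_guid == "":
        return "All Extended Rights (Rule 2)"
    return None                     # CR scoped to some other extended right


def who_can_reset(sddl):
    """Map trustee -> reason for every allow ACE matching the rules, dropping trustees that
    also have a matching deny ACE (a deny of CR precedes and beats an allow of GA)."""
    allowed, denied = {}, set()
    for ace in parse_dacl(sddl):
        reason = reset_password_reason(ace)
        if reason is None:
            continue
        if ace[0] in ("A", "OA"):
            allowed.setdefault(ace[5], reason)
        elif ace[0] in ("D", "OD"):
            denied.add(ace[5])
    return {t: r for t, r in allowed.items() if t not in denied}


if __name__ == "__main__":
    for trustee, reason in who_can_reset(SAMPLE_SDDL).items():
        print(f"{trustee}: {reason}")
```

Group membership is not expanded here; that is what the List Users step above does.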

Filters

If you don't want to build the filter yourself, here is the saved filter; you just need to copy the text below and import it as a filter, see How to Import Filter.

Who can reset Domain Admins Passwords

[Who can reset Domain Admins Passwords]
LDAPFilter=(name=adminsdholder)
Count=2
Options=18944
Rule1_Enabled=1
Rule1_Options=1281
Rule1_SDControl=0
Rule1_SDNotControl=0
Rule1_SDNullAcl=0
Rule1_Prompt=0
Rule1_Token=0
Rule1_AuthGroups=0
Rule1_Scope=8
Rule1_NotScope=0
Rule1_ACEType=0
Rule1_ACEFlags=0
Rule1_ACENotFlags=0
Rule1_Perms=256
Rule1_NotPerms=0
Rule1_Property=00299570-246D-11D0-A768-00AA006E0529
Rule1_NoProperty=0
Rule1_PropType=4
Rule1_MatchRules=546
Rule2_Enabled=1
Rule2_Options=1281
Rule2_SDControl=0
Rule2_SDNotControl=0
Rule2_SDNullAcl=0
Rule2_Prompt=0
Rule2_Token=0
Rule2_AuthGroups=0
Rule2_Scope=8
Rule2_NotScope=0
Rule2_ACEType=0
Rule2_ACEFlags=0
Rule2_ACENotFlags=0
Rule2_Perms=256
Rule2_NotPerms=0
Rule2_Property=00299570-246D-11D0-A768-00AA006E0529
Rule2_NoProperty=1
Rule2_PropType=4
Rule2_MatchRules=530

GPO Explorer – GPO Test Details

Some of the Features and Tests listed here are only available in NetTools v1.31.4 and above.

The Test feature in GPO Explorer provides similar functionality to the retired Microsoft GPOTool.exe utility.  This post provides the details of the tests that are completed and how the results are compared across the selected DCs.

The test feature appears in two locations in GPO Explorer: as a tab on the individual policy details, and at the domain level to test multiple GPOs at once.  While the results are displayed differently for the two test types, the same testing is completed for both.

The Domain option looks like this and provides a very similar output to the retired GPOTool.exe:

GPO Testing Results

The individual test looks like this:

GPO Testing Results - Individual

DC Selection

By default the tests are performed against all the DCs in the domain; however, it's possible to define which DCs you want to include in the test.  The Domain level test, as shown above, provides a list of the DCs that have been discovered, and you can limit which DCs will be included in the test by selecting the required DCs.  This selection is then used for both the Domain and Individual tests.

Test Details

The testing is completed in two phases: first the details are collected from each of the selected DCs, and then in phase two the captured details are compared across all the selected DCs.  The first selected DC in the server list is used as the source and all the other DCs are compared against this DC; you can change this by using the context menu to move another DC to the top of the list, and that DC will then be used as the source.

During the Collection phase the following details are captured and tests performed:

  • Display Name of the Policy
  • Sysvol Path
  • Functionality Version
  • GPO Flags
  • GPO Version Number (User and Machine)
  • WMI Filter assigned
  • GPO Machine Extensions
  • GPO User Extensions
  • When Created
  • When Last Changed
  • AD Permissions
  • Number of sub AD objects under the GPO for both User and Machines settings
  • Check the Sysvol path is accessible
  • Capture the security permissions of the root of the policy folder
  • Check that the trustees assigned Apply Group Policy right in the AD have access to the following location in Sysvol path:
    • Root of the policy folder
    • GPT.ini
    • User folder
    • Machines folder
  • Capture the GPO version details from GPT.ini file (User and Machine)
  • Capture the file count, total file size, and directory count for these sub directories:
    • Machine
    • User

Once the details have been captured from all the selected DCs, phase two will compare each of these values to confirm the details are the same across all the DCs.  If there are any differences it will report an error, or the traffic light indicator for the test will be Red.  In addition to comparing the details captured in phase one, the Compare phase also completes the following tests:

  • Compare the AD DACL ACE Count
  • Compare the Sysvol DACL ACE Count
  • Confirm the ACE in the Sysvol DACL are in the same order
  • Compare the AD Security Descriptor
  • Compare the Sysvol Security Descriptor
  • Check for duplicate ACEs
  • Check the order of the permissions
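As an added example (not NetTools code) of the version checks in the Compare phase, the Python below decodes the GPT.ini Version value and the AD versionNumber of one GPO into their machine and user halves and compares them across DCs, using the first DC in the list as the source as described above. The GPT.ini contents and the AD version values are constructed.

```python
"""GPO version comparison across DCs: Sysvol (GPT.ini) against AD, and every DC against the source."""
import configparser

# Constructed GPT.ini contents as read from each DC's Sysvol copy of one GPO.
GPT_INI_BY_DC = {
    "DC01": "[General]\nVersion=196613\ndisplayName=Constructed Policy\n",
    "DC02": "[General]\nVersion=196613\ndisplayName=Constructed Policy\n",
    "DC03": "[General]\nVersion=131077\ndisplayName=Constructed Policy\n",
}
# Constructed versionNumber attribute of the same GPO's AD object as read from each DC.
AD_VERSION_BY_DC = {"DC01": 196613, "DC02": 196613, "DC03": 196613}


def split_version(version):
    """A GPO version is one 32-bit value: low 16 bits = machine version, high 16 bits = user version."""
    return {"machine": version & 0xFFFF, "user": (version >> 16) & 0xFFFF}


def parse_gpt_ini(text):
    """Return the machine/user version numbers held in a GPT.ini file."""
    cp = configparser.ConfigParser()
    cp.read_string(text)
    return split_version(cp.getint("General", "Version"))


def compare_gpo_versions(gpt_by_dc, ad_by_dc):
    """Return a list of findings; an empty list is a green (consistent) result.

    Per DC and per half: Sysvol must match AD on that DC, and both must match the source DC."""
    dcs = list(gpt_by_dc)
    source = dcs[0]                                  # first DC in the list is the source
    src_sysvol = parse_gpt_ini(gpt_by_dc[source])
    src_ad = split_version(ad_by_dc[source])
    findings = []
    for dc in dcs:
        sysvol = parse_gpt_ini(gpt_by_dc[dc])
        ad = split_version(ad_by_dc[dc])
        for part in ("machine", "user"):
            if sysvol[part] != ad[part]:
                findings.append(f"{dc}: {part} version AD={ad[part]} Sysvol={sysvol[part]} (AD/Sysvol mismatch)")
            if dc != source and sysvol[part] != src_sysvol[part]:
                findings.append(f"{dc}: {part} Sysvol version {sysvol[part]} differs from source {source} ({src_sysvol[part]})")
            if dc != source and ad[part] != src_ad[part]:
                findings.append(f"{dc}: {part} AD version {ad[part]} differs from source {source} ({src_ad[part]})")
    return findings


if __name__ == "__main__":
    for line in compare_gpo_versions(GPT_INI_BY_DC, AD_VERSION_BY_DC) or ["all selected DCs consistent"]:
        print(line)
```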

The Individual test option displays the results as pass/fail and doesn't provide much detail on the reason for the failure.  However, the Domain level test does provide details of the information captured and failure details, when the Display Policy Details option is selected before running the test.

If any of the AD replication tests fail, you can select the individual GPO and use the Context Menu option to run a Check AD Replication test on the GPO AD object; this will automatically populate the Attribute Replication test for you.

Check AD Permissions

Debug Option

The GPO test also provides additional debug information in the Domain level test, which is helpful if you are trying to diagnose ACL issues as reported by the GPMC Status report.  This debug option is not enabled by default and can only be enabled by manually editing the NetTools.ini file.

  1. Open the NetTools.ini file
  2. Search for [SavedOptions]
  3. Add GPODebug=true after the heading:

[SavedOptions]
GPODebug=true

How To Read the contents of Registry.pol files

The registry.pol files are used to store Group Policy settings. These files typically exist in the Group Policy Template (GPT), which is hosted in the sysvol share on the domain controllers, but they can also exist on local systems.

GPO settings in the Registry.pol files are saved in a binary format, and the normal AD GPO management tools don't provide a method to show the contents of these files.  NetTools v1.31.3 and above includes an option to display the contents of these files.

This option exists under the GPO Explorer option; once the Refresh button has been clicked the GPO details are displayed. The Registry.pol Reader option is the last option in the left hand pane.

Registry.pol Reader

To open a registry.pol file, right click on the Registry.pol Reader entry and select the Open Policy File option from the context menu.

GPO Explorer Context Menu

Select the file using the file browser; once the file is selected, the contents of the file are displayed in the right hand pane.  This view uses the same navigation as the Settings tab for a policy.

Registry.pol Reader - Settings

Note: NetTools is a 32 bit application, and when accessing the system32 folder on the local system drive, WOW64 file system redirection is applied when browsing system directories; as a result, some files that you expect to find might not be shown in the file browser dialog.  If this happens, use File Explorer to copy the file from the system directory to a non-system directory, e.g. c:\temp, and try again.
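As an added example (not NetTools code) of what the Registry.pol Reader has to decode, the Python below parses the binary Registry.pol layout: a 'PReg' signature and version DWORD 1, followed by [key;value;type;size;data] records in which the brackets, semicolons and strings are UTF-16LE, strings are NUL-terminated and type and size are little-endian DWORDs. The sample file is constructed in the block with a small builder so the parser can run offline; the registry paths and value names in it are illustrative.

```python
"""Reader for the binary Registry.pol format used by the Group Policy Template."""
import struct

REG_SZ, REG_DWORD = 1, 4


def u16(text):
    """Encode text as UTF-16LE without a BOM, the encoding used throughout the file."""
    return text.encode("utf-16-le")


def build_registry_pol(entries):
    """Build a Registry.pol blob from (key, value, type, raw data bytes) tuples.
    Used here only to construct sample input; a real file is read from Sysvol or a local system."""
    out = bytearray(b"PReg" + struct.pack("<I", 1))
    for key, value, rtype, data in entries:
        out += u16("[") + u16(key + "\0") + u16(";") + u16(value + "\0") + u16(";")
        out += struct.pack("<I", rtype) + u16(";") + struct.pack("<I", len(data)) + u16(";")
        out += data + u16("]")
    return bytes(out)


def decode_data(rtype, data):
    """Turn the raw data bytes into a Python value for the common types; other types as hex."""
    if rtype == REG_DWORD and len(data) == 4:
        return struct.unpack("<I", data)[0]
    if rtype == REG_SZ:
        return data.decode("utf-16-le").rstrip("\0")
    return data.hex()


def parse_registry_pol(blob):
    """Return a list of (key, value, type, decoded data) records from a Registry.pol blob."""
    if blob[:8] != b"PReg" + struct.pack("<I", 1):
        raise ValueError("not a Registry.pol file: missing 'PReg' header or version != 1")

    def read_str(p):
        # NUL-terminated UTF-16LE string; scan in 2-byte steps so a 0x00 byte inside a code
        # unit (e.g. 'A' = 41 00 followed by 00 01) is never mistaken for the terminator.
        end = p
        while blob[end:end + 2] != b"\0\0":
            if end >= len(blob):
                raise ValueError("unterminated string at offset %d" % p)
            end += 2
        return blob[p:end].decode("utf-16-le"), end + 2

    def expect(p, ch):
        if blob[p:p + 2] != u16(ch):
            raise ValueError("expected '%s' at offset %d" % (ch, p))
        return p + 2

    pos, records = 8, []
    while pos < len(blob):
        pos = expect(pos, "[")
        key, pos = read_str(pos)
        pos = expect(pos, ";")
        value, pos = read_str(pos)
        pos = expect(pos, ";")
        rtype = struct.unpack_from("<I", blob, pos)[0]
        pos = expect(pos + 4, ";")
        size = struct.unpack_from("<I", blob, pos)[0]
        pos = expect(pos + 4, ";")
        data = blob[pos:pos + size]
        pos = expect(pos + size, "]")
        records.append((key, value, rtype, decode_data(rtype, data)))
    return records


# Constructed sample: two settings plus a "**Del." directive, which tells the client to
# delete a value and carries a REG_SZ payload (a single space here).
SAMPLE_POL = build_registry_pol([
    (r"Software\Policies\Microsoft\Windows NT\Terminal Services", "fDenyTSConnections",
     REG_DWORD, struct.pack("<I", 1)),
    (r"Software\Policies\Example", "LogonBanner", REG_SZ, u16("Authorized use only\0")),
    (r"Software\Policies\Example", "**Del.LegacySetting", REG_SZ, u16(" \0")),
])

if __name__ == "__main__":
    for key, value, rtype, data in parse_registry_pol(SAMPLE_POL):
        print(f"{key}\\{value} (type {rtype}) = {data!r}")
```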

How To Delegate Windows DNS Policies

DNS Policies were introduced in Windows Server 2016 and provide the ability to define policies or rules that control the results returned by the DNS server.  This functionality can be used to implement:

  • High availability of DNS services
  • Traffic management
  • Split-brain DNS
  • Redirection based on date/time

Unlike other DNS server functions, DNS Policies can only be managed by Domain Admins. In this article we look at what changes need to be made to allow DNSAdmins to manage DNS Policies.

Normally the DNSAdmins group provides rights to manage DNS services; however, it appears these permissions haven't been fully extended to DNS Policies.  The configuration details for DNS Policies are saved in the AD and in the local registry of the DNS server.  While DNSAdmins have rights to the AD, the group has not been granted rights to the registry to be able to create DNS Policies.

To delegate permissions to the DNSAdmins group, you will need to update the registry with additional permissions for DNSAdmins.

Open Regedit and navigate to 'Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\DNS Server'. In the Permissions for the DNS Server key, add Full Control for DNSAdmins.

This screenshot shows that the DNSAdmins group has been granted the extra rights.

DNS Policies - Registry Permissions

How To Delegate Object Restoration Rights

In this post we will look at how to delegate the restoration of deleted objects using the AD Recycle Bin.

First we need to enable the AD Recycle Bin. This is enabled by default on newly built forests with DCs of Windows 2012 and above; for older forests all the domain controllers must be Windows 2008 R2 and above, and you will need to run this command from a PowerShell command prompt to enable the AD Recycle Bin:

Enable-ADOptionalFeature 'Recycle Bin Feature' -Scope ForestOrConfigurationSet -Target <your domain>

By default only domain administrators have the rights to restore objects that have been deleted. The following steps will delegate the ability to restore deleted objects to the members of the "Restore_Objects" group.

1.  Create a new AD group called 'Restore_Objects'; the group can be a domain local, global or universal group depending on your requirements.

2.  Next we need to set restoration rights on the root of the domain. Open a command prompt with Run As Administrator rights and run the following command:

dsacls dc=<your domain>,dc=<com> /g "restore_objects:ca;Reanimate Tombstones"

Root Permissions

3.  To be able to change the security on the Deleted Objects container, we first need to take ownership of the container. From the same command prompt run the following command:

dsacls "CN=Deleted Objects,dc=<your domain>,dc=<com>" /takeownership

4.  Now that we are owners of the Deleted Objects container we can update the permissions. First we will assign the delegation group the rights to list the contents of the Deleted Objects container and read the properties of the objects, using the following command:

dsacls "cn=deleted objects,dc=<your domain>,dc=<com>" /g "restore_objects:LCRP"

Deleted Object Permissions

The permissions set so far provide the Restore_Objects group with the rights to restore objects and view the contents of the Deleted Objects container.  However, they can't restore objects yet; they also need write permissions to the properties of the objects that have been deleted in order to restore them.

Depending on your requirements, you can assign the properties permissions at the root of the domain so the Restore_Objects members can restore any deleted object in the domain or you can limit the delegation to a particular OU or object type.

This is the command to assign the required permissions:

dsacls "ou=<your ou>,dc=<your domain>,dc=<com>" /I:T /g "restore_objects:WPCC"

This shows the permissions assigned at the OU level:

OU Permissions

In this case the members of the Restore_Objects group will be able to see all of the deleted objects but will only be able to restore the objects that were deleted from the Restore OU, unless they have been assigned Write All Properties (WP) and Create Child (CC) rights through other permissions.

To restore objects you can use the Restore Objects option in LDAP Browser, see How To Restore AD Deleted Objects for more details.

How To View the Permissions that will be assigned by the SDProp Process

This is a quick post to show how to display the permissions that will be assigned by the SDProp Process.

The SDProp process uses the AdminSDHolder container object as a template for the permissions that will be assigned to any users or groups that are protected by the SDProp process. For more details on the SDProp process see the SDProp option.  The permissions assigned to AdminSDHolder are used to replace the existing permissions when an object first comes into scope, or if the permissions of an existing in-scope object are changed.

Using the NetTools Permissions Browser option (formerly ACL Browser), it is very simple to view the permissions.  In the left hand pane navigate to the Access Control - Permissions Browser option.

Click on the Refresh button; this will display the directory tree. Navigate down the tree to CN=System, CN=AdminSDHolder.  With the AdminSDHolder object selected, the permissions will be displayed in the middle pane:

AdminSDHolder Permissions

We can use the Permission Compare feature to confirm that the permissions have been applied to a protected object.  In the tree view of the Permissions Browser, right click on the AdminSDHolder node and select Select Left SD to Compare.

Select Left SD to Compare

Using the Quick Search option we can search for a protected group, e.g. Domain Admins.

Quick Search - Domain Admins

From the search results right click on the Domain Admins group and select Compare to 'AdminSDHolder' SD.

Select Right Compare AdminSDHolder

This will display the Compare Permissions dialog, allowing you to confirm that the AdminSDHolder permissions have been applied to the Domain Admins group. You can repeat these steps to confirm any of the users or groups that are protected by the SDProp process.

Compare Permissions - AdminSDHolder

NetTools v1.31.0

AD Permissions Reporter
A reporting option to report on and search for permissions that have been assigned in the AD; supports both basic and advanced filters. See AD Permissions Reporter.

Certificate Checker
A new feature to verify the certificates that are assigned to a website, including the revocation status. More details available here.

Compare AD Permissions
Context menu option to compare the permissions of different objects.  See How to compare AD permissions.

Object Replication
A new feature to test if AD objects and their attributes are replicated across the domain controllers in the domain. See Object Replication for more information.

SDDL Viewer
A new feature to display SDDL strings in the Permissions dialog.  More details available here.

Find Trustee Assignments
Deprecated

AD Permissions Browser
ACL Browser renamed to AD Permissions Browser
Updated context menu to support option to export a permission as a dsacls command.
Updated inheritance text to include no propagation rights details and displayed separately in the rights view.
Changed the icons used in trustee mode to the same as used in AD Permissions Reporter, to make it easier to see which permissions apply to the trustee.
Fixed index error when assigning the NT Authority\Self to a trustee.

AD Properties
Fixed context menu on delegation tab to allow linked SPN tests.
Fixed memberof bug where some groups were not displayed if the displayname was not set.
Added option to display the time and date when changes to the group membership happened.
Updated to display the Fine Grain Password details for both users and groups.
Updated Logon tab to include Password Expires based on the msDS-UserPasswordExpiryTimeComputed attribute.

AD Sites
Updated to include a dsBind test to test RPC connection, also updated to support profiles.

AD Subnet
Updated to support IP Addresses with CIDR.
Subnets that are not linked to a site are shown as <not assigned>.

Attributes Dialog
Hex dump - now able to provide hex dump of security descriptor for non-admin users.

Attribute Replication
Updated to display all the attributes of the selected object across the selected domain controllers.

Base64
Updated to support encoding a SID string to binary in Base64 and back to SID String.

DC Resolution
Removed port 3389 from the default list of ports; it was added for testing and shouldn't be there.

Error Messages
Updated to also return error details for WinInet error codes.

GPO Explorer
Added GPO testing functionality similar to that of GPOTool.exe. See How To Test GPOs as GPOTool is no longer available.
Updated security tab to include the rights view of the permissions assignment.
Fixed display updates when switching from OU to WMI and back again.

GUID Search
Updated to now search for the entered GUID against common object GUID, and option to search against all GUID attributes found as part of the dynamic attribute discovery.

LDAP Browser
Added button to allow a DN to be opened in a separate window.
Updated to include a Restore Objects for deleted objects, see How To Restore deleted AD objects.

LDAP Search
Added option to limit the number of records returned.  Updated Favorite Import to support importing multiple favorites in one go.
Updated the DNSProperty decode to support all data types.
Updated favorites variables to include ##root to specify the root DN of the forest.
Updated to support different Ordering OIDs on the sort field, see Sort for more details.
Certificate verification date format is now based on regional settings.  When connecting using SSL it now displays the SSL connection information.
Fixed intermittent exception error that could happen when using meta data attribute types.
Fixed bug in the getdn subst variable that could cause an exception.
LDAP Search Enum dialog - Updated context menu to allow selection of bit operator.
Define the enum DecodesType for GPOptions, ServerState, ForceLogoff.
Set DecodeType for AuditPolicy to DecodeType BIN.
Added DecodeType GMSAPWD.PWD_B and GMSAPWD.PPWD_B to display GMSA password in byte based binary output.

Object Count
Updated to save the count details; subsequent counts show the delta between the counts.

Object MetaData
Updated to also display the value of the attribute, and changed the time to display local time.

Organization Structure
Fixed exception that could occur when multiple Left SD menu items were selected.
Added additional logic to detect circular references.
Added an extra context menu item to display a separate window with the org structure.

Ping
Added option to specify the ICMP packet size used for the ping.

Permissions dialog
Added additional caching at the profile level to improve performance and reduce data requests. Also improves the performance of AD Permissions Browser and GPO Explorer.
Added Inheritance details to the status bar.

Resolver
Updated test options so any entry is added to the resolver history.
Fixed columns update so blank attributes are shown correctly.

Schema Version
Updated to support Exchange 2019 CU11, CU12 & 2016 CU22, CU23.

SDProp
Updated to include support for Service Managed Accounts and improved performance.

SID Converter
Updated to include icons for resolved names; if a SID is not found, it will now check if the domain SID exists to confirm whether the SID has been deleted or the domain is invalid.

Site Browser
Updated to display bridgehead servers in the site settings view.
Added additional error reporting for the Validate function and added a DsBind test.
Subnets that are not linked to a site are shown as <not assigned>.

Token Size
Updated the connection to use the GC to correctly resolve cross-forest groups, and fixed a bug where multiple entries in SIDHistory caused the token size to be calculated incorrectly.

User Search
Fixed bug where from a child domain, the Use GC option didn't use the root of the forest for the search.

User Search dialog
Updated so that if only one user account is found and it matches the search, it automatically returns the single entry.

Predefined Queues
The following queues have been updated:

AD: Invalid Pwd Change (All users)
AD: Invalid Pwd Change (Nominated user)
AD: List gMSA Accounts
AD: List MSA Accounts
AD: Restore Deleted User
AD: RootDSE Modify - Dump Database
Users: Invalid characters for O365
Users: Mail and UserPrincipalName different

How To Compare the Permissions of Two AD Objects

The permissions for an object in AD are stored in the ntSecurityDescriptor attribute; these permissions are used to control who can access the object.  When troubleshooting access issues, it is sometimes useful to be able to compare the permissions that are assigned to two different objects.  With v1.30.11 and above there is now a simple method to compare the permissions between two different objects.

The context menu in NetTools now provides two additional menu items to allow permissions of objects to be compared:

  • Select left SD to compare
  • Compare to 'left object' SD

Compare Menu Items

To compare the permissions or security descriptors (SD), select the first object and choose the Select left SD to compare option; this sets the object as the left item.  Then find the second object you want to compare against, select the Compare to 'left name' SD option, and the Compare Permissions dialog box will be displayed.

Compare Permissions

Compare two user objects

The easiest method to compare two user objects is to use the Quick Search option to find the first user: enter the user name in the quick search box and press Enter. In this case we are searching for greynolds.

Quick Search

From the search results, right click on the greynolds object and select Select left SD to compare.

Compare Left

Search for the second user object, then right click on the second user and select the Compare to 'Gary Reynolds' SD menu item; the Compare Permissions dialog will be displayed.

Compare SD Item

The comparison between the two objects will be displayed.

Compare Permissions Result

Click on the column header with a '*' to select options to filter the displayed ACEs.

Compare Permissions Options

Compare Other Objects

To compare objects other than users, use one of the NetTools options to find the object you are looking for, e.g. LDAP Browser, LDAP Search, ACL Browser, GPO Explorer, etc.  All these options have the same context menus to allow you to compare permissions against any other object.

See Comparing AD Permissions for more information.

How To Import an AD Permissions Report Filter

The AD Permissions Reporter option provides the ability to export and import filters; this post provides details on how to import a filter.

This is a sample of a filter text:

[Find Deny Permissions Assigned to a user]
Count=1
Options=18437
Rule1_Enabled=1
Rule1_Options=1280
Rule1_SDControl=0
Rule1_SDNotControl=0
Rule1_SDNullAcl=0
Rule1_Prompt=1
Rule1_Token=1
Rule1_Scope=12
Rule1_NotScope=0
Rule1_ACEType=2626
Rule1_ACEFlags=0
Rule1_ACENotFlags=0
Rule1_Perms=0
Rule1_NotPerms=0
Rule1_MatchRules=546

Here are the steps required to import the filter.

  1. Click on the Select button
  2. Click on the Import button
  3. Paste the filter into the dialog
  4. Click Add button

AD Permissions Reporter - Import Filter

Once the filter is imported the list will be updated, now select the new filter from the list.

AD Permission Reporter - Select Filter